discussion: organizing Android/mobile focused capa rules

[mike-hunhoff]

          Collecting my thoughts here but happy to spin off separate issues/discussions.

• I like the in .NET on Android naming
• so far rules are inconsistent requiring format/os
  • this doesn't seem to be a problem though
• important are:
  • rule readability and
  • organization
  • 1. duplicate all directories under android parent?
  • 2. only update namespaces to start with android/ root <-- my preferred option
• testfiles should go into android directory

related discussion: https://github.com/mandiant/capa/discussions/701 (Rule organization for multiple file types PE and ELF)

Originally posted by @mr-tz in https://github.com/mandiant/capa-rules/issues/824#issuecomment-1757162927

[williballenthin]

for (2), the files would be placed in the existing directories but the namespaces would not exactly match the directory?

[williballenthin]

as we discuss here, let's keep in mind there are other dimensions as well, like arch and format. these are probably less selective/important than OS, but i wonder if conceptually they're the same, or we should give more stock to OS (such as by codifying its location in the namespace).

[mr-tz]

Hm, interesting idea to use the namespace here more. Alternatively, we could add a new meta field (or fields) that specify os/format/arch? Like windows/pe/i386 or android/elf/amd64...